F-01 · Critical
Access reviews never performed; offboarding gaps
Observation. No user access review has been performed since company founding.
Offboarding sampling found a contractor separated in March who retained active GitHub
organization membership for 47 days, and an AWS IAM user with console access unused for 90+
days. Vanta's access review feature is enabled but no review has been initiated.
Why it matters (CC6.1–CC6.3 · CIS v8 Controls 5, 6). Access control is the most heavily
sampled area of a SOC 2 audit. A terminated user with live access during the observation
window is a near-certain exception — and the kind enterprise security reviewers ask about
directly.
Guided remediation. Document an access review procedure (quarterly, system-scoped,
with sign-off); run the first review now and remediate what it finds; add a same-day
deprovisioning checklist to the Rippling offboarding workflow; enable Vanta's offboarding
monitoring against the HRIS feed.
Effort: 2–3 weeks · Owner: Engineering lead + People Ops
F-02 · High
Cloud infrastructure configuration gaps
Observation. The AWS root account has two active access keys, one used by a
deployment script last rotated 14 months ago. CloudTrail is enabled in us-east-1
only — activity in other regions is unlogged. One security group permits SSH
(0.0.0.0/0, port 22) to a bastion host that MFA does not protect, and the S3
account-level public access block is not enforced (three buckets rely on per-bucket settings
alone).
Why it matters (CC6.1, CC6.6, CC7.1 · CIS v8 Controls 4, 8, 12). Root-account access keys are the
highest-privilege credential in the environment embedded in automation — a single leak is a
full-environment compromise, and auditors flag it immediately. Single-region CloudTrail means
the monitoring controls you'll claim in CC7.1 cannot be evidenced for most of the account
surface.
Guided remediation. Delete the root access keys and move the deployment script to a
scoped IAM role; convert CloudTrail to an all-region organization trail with log-file
validation; restrict bastion SSH to VPN/identity-gated sources and enforce MFA; enable the
account-wide S3 public access block. Vanta's AWS tests will confirm each fix automatically.
Effort: 2–3 days · Owner: Platform engineer
F-03 · High
Incident response plan exists on paper only
Observation. An incident response policy exists (template-derived) but has
never been exercised. There is no severity classification, no defined communication path for
customer-impacting incidents, and on-call responsibility is informal ("whoever sees it").
Two production incidents in the past year were resolved competently but produced no
post-incident documentation.
Why it matters (CC7.3–CC7.5 · CIS v8 Control 17). Auditors test whether incidents are
classified, escalated, and reviewed — an unexercised plan with no incident records reads as a
control that does not operate. The two undocumented incidents are evidence that should exist
and doesn't.
Guided remediation. Define a 4-level severity matrix with escalation and customer
notification rules; run one tabletop exercise against a realistic scenario and record it;
adopt a lightweight post-incident review template so every future incident produces evidence.
Effort: 1–2 weeks · Owner: CTO
F-04 · Medium
No vendor security review process
Observation. Helios uses 11 subprocessors with production-data access. There
is no vendor inventory, no record of any security review, no DPA on file for 3 of the 11, and
no assigned owner for vendor risk.
Why it matters (CC9.2 · CIS v8 Control 15). Vendor risk management is tested directly, and — more
urgently for Helios — enterprise procurement teams request the subprocessor list and DPAs
during security review. This gap will surface in the sales cycle before it surfaces in the
audit.
Guided remediation. Build the vendor inventory in Vanta; tier vendors by data
access; collect SOC 2 reports or security documentation for critical vendors annually;
execute the three missing DPAs; assign vendor-risk ownership.
Effort: 2 weeks · Owner: COO
F-05 · Medium
Source-control platform not hardened
Observation. Branch protection is absent on 2 of 14 GitHub repositories,
including one that deploys to production on merge. GitHub secret scanning and push protection
are disabled org-wide, and a live third-party API key was found in the commit history of an
archived repository (confirmed still valid during the assessment, revoked same day).
Why it matters (CC6.1, CC8.1 · CIS v8 Controls 4, 16). Unprotected production-deploying branches
defeat the change-management control you'll claim under CC8.1 — the PR-review requirement is
policy, not enforcement. A valid credential in git history is an active exposure, not a
historical one: history is readable by every past and present collaborator.
Guided remediation. Enforce branch protection (required review + status checks) on
all production-path repositories; enable org-wide secret scanning and push protection; sweep
history for credentials with a scanning tool, rotate anything found, and document the
rotation as evidence.
Effort: 2–3 days · Owner: Engineering lead
F-06 · Low
Template policies not tailored to the actual environment
Observation. The policy set was generated from templates and approved
wholesale. The password policy references on-premises Active Directory (Helios has none); the
data classification policy defines four levels that appear nowhere else in practice.
Why it matters (CC5.3 · CIS v8 requires enterprise-specific process documentation across most safeguards). Policies that describe systems you don't run signal
to an auditor that policies aren't operationalized — it invites deeper sampling everywhere
else. Low severity, but cheap credibility to reclaim.
Guided remediation. Tailor each policy to the real stack during the next review
cycle; delete inapplicable sections rather than leaving them "just in case"; align the data
classification levels with how data is actually labeled in practice.
Effort: 1 week, rolling · Owner: CTO
A finding without a path to fixed is just bad news. Every finding maps to both the SOC 2 Trust
Services Criteria your auditor will test and the CIS Controls v8 safeguards that describe the
underlying practice — and every remediation is written to be executed, not admired: specific
mechanisms, effort, and owner. When clients continue into a Kickstart or readiness engagement, we
implement these fixes alongside your team — configuration walkthroughs, evidence templates, and
validation in your GRC platform — rather than handing you a to-do list and an invoice.